What is the CVSS score of CVE-2026-29107?

CVE-2026-29107 has a CVSS 3.1 base score of 5.0 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N. EPSS exploitation probability: 0.0%.

Which versions of Suitecrm are affected by CVE-2026-29107?

Organizations using SuiteCRM should be aware of moderate risk from CVE-2026-29107, a server-side request forgery vulnerability rated CVSS 5.0.

Suitecrm CVE-2026-29107

MEDIUM

Server-Side Request Forgery (SSRF) (CWE-918)

2026-03-19 security-advisories@github.com

SSRF Suitecrm

5.0

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

5.0 MEDIUM

AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 19, 2026 - 23:30 vuln.today

CVE Published

Mar 19, 2026 - 23:16 nvd

MEDIUM 5.0

DescriptionGitHub Advisory

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, it is possible to create PDF templates with <img> tags. When a PDF is exported using this template, the content (for example, <img src=http://{burp_collaborator_url}> is rendered server side, and thus a request is issued from the server, resulting in Server-Side Request Forgery. Versions 7.15.1 and 8.9.3 patch the issue.

AnalysisAI

Server-Side Request Forgery in SuiteCRM versions prior to 7.15.1 and 8.9.3 allows authenticated users to craft malicious PDF templates containing image tags that trigger server-side HTTP requests when PDFs are generated. An attacker with login credentials can exploit this to scan internal networks, access local services, or exfiltrate data from the server's perspective. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	Access to internal services, cloud metadata endpoints, or other resources not intended to be publicly accessible. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker provides a URL pointing to an internal service (e.g., http://169.254.169.254/latest/meta-data/) through a vulnerable parameter, causing the server to fetch and return internal data.
Remediation	Validate and whitelist allowed URLs and IP ranges. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-29107 vulnerability details – vuln.today

Back

Suitecrm CVE-2026-29107

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code